Google Reveals Actively Exploited Windows Kernel Vulnerability

[Lucian Armasu]

Google made public two new critical vulnerabilities in Flash and Windows, one of which has yet to be fixed by Microsoft.

Google Reveals Actively Exploited Windows Kernel Vulnerability : Read more

 

[ah]

My windows updated Flash security on 28 Oct, but I don't think it also included the windows bug fix.

 

[alextheblue]

They gave them a week to patch (and test for issues) a kernel-level vulnerability before disclosing? Yikes.

 

[bit_user]

I wish Google would run their security tests on this:

https://www.reactos.org

If it passes, I'd probably give it a try.

 

[Paladiam]

More like Government back door access found.

 

[hst101rox]

Is Windows XP vulnerable? I'm going to assume "Yes!"

 

[Tanyac]

I'm wondering, given Microsoft's new "monthly" patch cycle whether they will even both to do anything until the November patch release.

Since Microsoft has clearly demonstrated with recent policy changes that customer safety, satisfaction and sanity are the least important things to them I'd not be surprised if we don't see a patch for at least another week, maybe more...

 

[Jan_26]

A week for implementation, testing, validation and signing of a change in kernel is plain insanity.

 

[WFang]

[quotemsg=18807656,0,5190]They gave them a week to patch (and test for issues) a kernel-level vulnerability before disclosing? Yikes.[/quotemsg]

[quotemsg=18808184,0,2278136]A week for implementation, testing, validation and signing of a change in kernel is plain insanity.[/quotemsg]

Guys, NOT disclosing details of a vulnerability that is ACTIVELY being exploited in the wild is a far greater insanity!
Sure, you can easily argue that any sane find+patch+Quality Control cycle on such a bug would be more than 7 days, that is rather irrelevant. It is MUCH more important to get the warning out to IT and SysAdmins (of critical infrastructure and functions).

It's like complaining about how it is 'plain insanity' to expect fire-fighters to completely put out and control a fire in a 40 story hotel within 1 hour and that therefore one should not alert new and existing guests of the hotel that there is, in fact, a fire going on. "Nah, let them into the lobby man, the firefighters only had an hour to work on this, no reason to alert anyone just yet"...

Clearly, it would take longer to put out such a fire; and clearly, all the guests and prospecting guests need to be alerted ASAP.
The two actions are not mutually exclusive!

 

[gggplaya]

[quotemsg=18807656,0,5190]They gave them a week to patch (and test for issues) a kernel-level vulnerability before disclosing? Yikes.[/quotemsg]

They give 90 days to lower risk and lower actively exploited vunerabilities. But for high risk and highly actively exploited attacks, they only give 7 days and light a fire under microsofts butt to fix it. Otherwise, microsoft might be relaxed and wait the full 90 days to fix it. Leaving us consumers under attack for the full 3 months.

 

[coolitic]

As much as I dislike security flaws, I disapprove of Google taking a strong-arm approach to force companies to fix them.

 

[gggplaya]

[quotemsg=18809316,0,746565]As much as I dislike security flaws, I disapprove of Google taking a strong-arm approach to force companies to fix them.[/quotemsg]

Letting the public know they're being attacked is strongarm?

 

[Jan_26]

I don't mind strong arm, but the deadlines need to be possible to reach. This way only thing Google reaches is just significantly increased security risk.
To paraphrase WFang, it's equivalent to go and tell band of pyromaniacs there is unguarded wagon of nitroglycerine parked on main street.

 

[XaveT]

But the pyros ALREADY KNOW about the wagon (since it's already actively being exploited). The wagon owners don't know that the pyros know it's there (consumers/professionals don't know the attack exists so they can't protect against it or watch out for the attacks)

 

[bit_user]

Let's step away from the analogies, for a minute.

Look, the real question is whether 7 days is enough. Google seems to think so, and I happen to agree. For most of these security flaws, the fix can be coded in an hour and is relatively isolated. For most of these changes, 24-48 hours of testing should be more than enough. Google is hardly new to software development, and Android is certainly nearing the complexity of Windows.

It's true that there are some security flaws that are more systemic and require a much bigger lift, but I'm sure Google would be reasonable if MS reached out to them and explained the situation and what they're doing about it.

 

[alextheblue]

[quotemsg=18808184,0,2278136]Guys, NOT disclosing details of a vulnerability that is ACTIVELY being exploited in the wild is a far greater insanity!
Sure, you can easily argue that any sane find+patch+Quality Control cycle on such a bug would be more than 7 days, that is rather irrelevant. It is MUCH more important to get the warning out to IT and SysAdmins (of critical infrastructure and functions).[/quotemsg]
[quotemsg=18809614,0,328798]Let's step away from the analogies, for a minute.

Look, the real question is whether 7 days is enough. Google seems to think so, and I happen to agree. For most of these security flaws, the fix can be coded in an hour and is relatively isolated. For most of these changes, 24-48 hours of testing should be more than enough. Google is hardly new to software development, and Android is certainly nearing the complexity of Windows.

It's true that there are some security flaws that are more systemic and require a much bigger lift, but I'm sure Google would be reasonable if MS reached out to them and explained the situation and what they're doing about it.
[/quotemsg]
Yes let's set aside the bad analogies. Bit, that would be a great idea. You should suggest it to Google. They have some flexibility on their 90 day reveals. But the other policy? Currently, if MS says give us more time, Google says sorry can't do that. Tell your guys to sleep in the office and miss the kid's piano performance. Their deadline for this type of "actively exploited" vulnerability is a hard 7 days and that's the reality of the situation.

Regarding Android, it's gotten more complex but still not on the level of Windows. So I'm not sure how much relevance that has. Either way, Google didn't set that deadline for themselves, but rather for other vendors (competitors). If they find a critical currently-exploited vulnerability in their own code, they might conveniently forget to start the clock on the 7 day deadline. Sadly when they patch Android, who knows if/when the patch will migrate to most of the devices on the market.

 

[Jan_26]

[quotemsg=18812532,0,5190]
Yes let's set aside the bad analogies. Bit, that would be a great idea. You should suggest it to Google. They have some flexibility on their 90 day reveals. But the other policy? Currently, if MS says give us more time, Google says sorry can't do that. Tell your guys to sleep in the office and miss the kid's piano performance. Their deadline for this type of "actively exploited" vulnerability is a hard 7 days and that's the reality of the situation.
[/quotemsg]

Tbh, I wouldn't miss an event like "kid's piano performance". There are plenty developer jobs, but events with your kids are unrepeatable and irreplacible.

 

[virtualban]

M$'r lawyers and bureaucrats need more time to find programmers and engineers ready to try fix the bugs in secret and take the blame for any failure and delay.

 

[alextheblue]

[quotemsg=18812884,0,2278136]Tbh, I wouldn't miss an event like "kid's piano performance". There are plenty developer jobs, but events with your kids are unrepeatable and irreplacible.[/quotemsg]

Exactly what I was trying to imply. Engineers have lives too. If seven days isn't enough, it's not enough. Google doesn't see it that way when it's a competitor's product. If they find an issue in their own code, exploited or not, they fix it on their own timetable. It's an unfair policy, and they need to be more flexible.

 

[alextheblue]

MS says they are currently working with multiple industry participants to test the patch and expect to release it on the 8th. Similar to Chrome on Win10, Edge on Anniversary Update is unaffected.

 

[bit_user]

[quotemsg=18817281,0,5190]MS says they ... expect to release it on the 8th.[/quotemsg]Great. After Putin will have already used this exploit to disrupt the election.

 

[alextheblue]

[quotemsg=18819542,0,328798][quotemsg=18817281,0,5190]MS says they ... expect to release it on the 8th.[/quotemsg]Great. After Putin will have already used this exploit to disrupt the election.

[/quotemsg]

LOL. As you well know, the actual intrusions took place some time ago. There were ways to better secure the devices in question, regardless. Having little to no additional security in place for important systems is a mistake. Also given how recently Google notified them, I'd say their response was pretty fast. Couple of weeks basically including testing.

Anyway, don't want dirty laundry aired? Don't have quite so MUCH dirty laundry TO air. What a treasure trove of emails. Pick a better candidate. Even Bernie would have been a better pick in some regards. On the other side I'd have liked to see Fiorina be more aggressive and gain more traction. Regardless Putin plays both sides, he's worked with the Democrats as well - how quickly we forget Obama's (oops is that camera on) moment of "flexibility" with Putin, and the Russians funneling millions to the Clinton Foundation. Putin is showing the Obamas and the Clintons alike how little he thinks of them and their previous "understanding".

Something else hilarious: Neither candidate knows squat about "The Cyber" or how to secure it!

 

[Jan_26]

[quotemsg=18821842,0,5190][quotemsg=18819542,0,328798][quotemsg=18817281,0,5190]MS says they ... expect to release it on the 8th.[/quotemsg]Great. After Putin will have already used this exploit to disrupt the election.

[/quotemsg]

LOL. As you well know, the actual intrusions took place some time ago. There were ways to better secure the devices in question, regardless. Having little to no additional security in place for important systems is a mistake. Also given how recently Google notified them, I'd say their response was pretty fast. Couple of weeks basically including testing.

Anyway, don't want dirty laundry aired? Don't have quite so MUCH dirty laundry TO air. What a treasure trove of emails. Pick a better candidate. Even Bernie would have been a better pick in some regards. On the other side I'd have liked to see Fiorina be more aggressive and gain more traction. Regardless Putin plays both sides, he's worked with the Democrats as well - how quickly we forget Obama's (oops is that camera on) moment of "flexibility" with Putin, and the Russians funneling millions to the Clinton Foundation. Putin is showing the Obamas and the Clintons alike how little he thinks of them and their previous "understanding".

Something else hilarious: Neither candidate knows squat about "The Cyber" or how to secure it![/quotemsg]

Well, the fact they don't know anything about cyber wouldn't be that serious if they followed guidance of specialists who do. After all it's impossible to know everything. But honestly, from what can be seen from outsider's point of view, I really don't know which candidate is worse. Neither of them is a person I'd be calm to see being elected as a supreme leader of nuclear (and other 'goodies') weaponry equipped army.

 

[bit_user]

[quotemsg=18821842,0,5190]Anyway, don't want dirty laundry aired? Don't have quite so MUCH dirty laundry TO air. What a treasure trove of emails.[/quotemsg]I was just talking about the voting. Given how the vote is decentralized, it's infeasible for Putin to rig a win for Trump, but all he has to do is plant some evidence in swing states of it being rigged for Hillary.

That will sew some chaos, and that's his goal. He wants to show the world (his own people, in particular) what bad idea this "democracy" thing really is. Taking us down a peg is just bonus.

 

[alextheblue]

He might not need to plant evidence, if they can tamper with the voting directly and then draw attention to it. That would shake voter confidence. I for one certainly don't trust our government to secure anything - and not just from a technological aspect. Our people are easily compromised too. But I digress... I think he's more interested in flaunting his own power, more so than elevating or taking down anyone else. I believe the reason he chose to attack Hillary has little to do with trying to get Trump elected, but rather he is sending the one more likely to win a message.